May 16 2022

StateRAMP Continues to Grow, Now Supports 10 States

The organization helps states save time and resources when vetting vendors.

A state-level program modeled after the Federal Risk and Authorization Management Program (FedRAMP) is now supporting government agencies in 10 states, offering them the same opportunity as federal agencies to work with third-party companies whose cloud-based services have been vetted. 

Launched with a pilot program in Arizona last year, StateRAMP now also includes government agencies in California, Florida, Georgia, Massachusetts, Michigan, New Hampshire, Oklahoma, North Carolina and Texas.

“Until StateRAMP, there was not a standardized method to provide state and local governments consistent, independent and ongoing validation of a product’s cyber posture,” says J.R. Sloan, StateRAMP president and Arizona CIO. “That left states on their own, expending valuable resources evaluating vendor compliance. StateRAMP allows us to work together with our counterparts in other states and in the vendor community toward a common standard.”

Typically, vendors who use or offer cloud products to deliver services must go through a tedious and time-consuming approval process to work with a state government — a process that must be repeated in each state.

Now, in the same way FedRAMP gives its stamp of approval to vendors that have met a set of security guidelines and are cleared to work with federal agencies, StateRAMP streamlines the approval process for state and local government agencies, Sloan told StateTech in an October interview. 

Compliance Certification Clears One Hurdle for Multiple States

StateRAMP calls the approach “verify once, use many.”

“We don’t need to do this 50 different ways, or even the same way 50 different times,” Sloan said. “We should be able to come up with a way for one entity to be able to do the verification, to be able to share the verification information with states where states can trust it.”

In Georgia, for example, the state government is already asking vendors to describe their security controls as they relate to the National Institute of Standards and Technology (NIST) Special Publication 800-53, a set of security and privacy controls for information systems and organizations.

“In many cases, they are mapping to NIST as a one-off for just our procurement, and we have to evaluate how each vendor is meeting the control for potentially 200-plus controls,” Georgia CTO Steve Nichols says. That’s why joining StateRAMP was particularly appealing to his state.

“StateRAMP certification moves this whole mapping and evaluation process upstream into the certification process. In the procurement, this would significantly decrease our work — and the vendors’ work — to evaluate the vendor’s security posture,” Nichols says. “We are all solving for the same problems here. We’ve seen a lot of benefit in pooling resources, so a state-specific version of FedRAMP was an easy sell for us.”

Another perk of StateRAMP is that it provides continuous monitoring, a benefit that appealed to Nichols and his Massachusetts counterpart, Sean Hughes, whose state is in the process of joining the organization.

By becoming a member of StateRAMP, Massachusetts will be able to “better manage third-party risk while verifying the security of service providers via a continuous security assessment framework and monitoring,” says Hughes, the assistant secretary for technology, security and operations and COO. 

“While FedRAMP has been known for years, Massachusetts is appreciative of the foresight that states like Arizona showed in 2020 to organize StateRAMP for state and local governments,” he says.

A list of StateRAMP authorized products can be viewed on the organization’s website.

gorodenkoff/Getty Images
